Solved

How can I span my LAN subnet over MPLS using two Watchguard firewalls?

Posted on 2009-05-14
Last Modified: 2013-11-16
Hi all,

We have a VMWare ESX 3.5 environment at head office with a DR server in a co-lo. We want to use Vizioncore vReplicator to backup servers to the co-lo. The two sites are connected via a 10Mb MPLS routed link and I need to extend my local subnet so that the DR server has an IP address on our subnet for vReplicator to work fully.

We have a Watchguard X750e at head office and was told by Watchguard that if we bought an X550e for the co-lo, the Watchguards could span the subnet over the MPLS.

Now (after we've purchased the unit) Watchguard are backtracking and referring this to the US. A week and a half later and I still don't have an answer.

Does anyone know if this is possible? If not with Watchguards, is there any other hardware or software that will let me do this?

It's very frustrating as we've made a significant investment on Watchguard's advice, only for them to mess us about now we're ready to implement their solution.

Any advice, greatly appreciated.

Thanks.


Question by:aimvicit
Expert Comment

by:TheAnimaniac
ID: 24392253
Just a few questions before we get started.
If I understand you correctly, you want to use the same ip range in your co-lo?
I presume your co-lo has already been set up with its own ip range or does it indeed have the same ip range as your HQ?
What is wrong with using a routed subnet in your co-lo?

Author Comment

by:aimvicit
ID: 24392802
Hi,

You assume correctly, the DR server needs to be on the same subnet as head office. vReplicator ideally needs to be configured with production and DR on the same subnet so you can fail over to VMs in the DR without any issues with DNS trying to update over two subnets. For example, our Exchange server VM dies and we bring the DR VM up, and in the recommended configuration this would have the same name and IP. It is possible for it to just have the same name on a different IP, but not recommended for DNS reasons.

A bridge would be ideal, but I don't think the ISP can do it.

Thanks again.

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24393463
I do not think that WG would route MPLS over VPN; if you have pure IP traffic then we can create a VPN tunnel between two endpoints with the same IP subnet by configuring NAT over IPSec.

Can you advise: if you do not do MPLS, and just configure a simple VPN tunnel between the end points with NAT over IPSec so the same subnet is not a problem, would this solution work for you or not?

Thank you.
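
dpk_wal's NAT-over-IPsec suggestion handles identical subnets at both ends by giving each site a unique translated range inside the tunnel, so the real LANs never have to be distinguishable on the wire. As an added illustration (not code from the thread or from WatchGuard), this Python sketch validates such a plan and walks one packet through both 1:1 translations; every address range in it is a constructed example.

```python
import ipaddress

# Constructed example values (not from the thread): head office and co-lo
# both use 192.168.1.0/24, so plain routing cannot tell the sites apart.
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")
COLO_LAN = ipaddress.ip_network("192.168.1.0/24")
# Unique "translated" ranges each side presents inside the tunnel (constructed).
HQ_NAT = ipaddress.ip_network("10.200.1.0/24")
COLO_NAT = ipaddress.ip_network("10.200.2.0/24")


def needs_overlap_nat(lan_a, lan_b):
    """True when two site LANs overlap, i.e. a plain IPsec tunnel cannot route them."""
    return lan_a.overlaps(lan_b)


def validate_nat_plan(lan_a, nat_a, lan_b, nat_b):
    """Check that the 1:1 NAT ranges are usable: each is the same size as the LAN
    it hides, and no translated range collides with either real LAN or the other
    side's translated range. Returns a list of problems (empty means OK)."""
    problems = []
    for lan, nat in ((lan_a, nat_a), (lan_b, nat_b)):
        if lan.prefixlen != nat.prefixlen:
            problems.append(f"{nat} must be the same size as {lan} for 1:1 NAT")
    pairs = ((nat_a, nat_b), (nat_a, lan_a), (nat_a, lan_b), (nat_b, lan_a), (nat_b, lan_b))
    for x, y in pairs:
        if x.overlaps(y):
            problems.append(f"{x} overlaps {y}")
    return problems


def translate(host, real_net, nat_net):
    """Map a host in real_net to the address with the same host offset in nat_net.
    Works in both directions: pass (nat_net, real_net) to undo the mapping."""
    host = ipaddress.ip_address(host)
    if host not in real_net:
        raise ValueError(f"{host} is not inside {real_net}")
    offset = int(host) - int(real_net.network_address)
    return ipaddress.ip_address(int(nat_net.network_address) + offset)


def tunnel_flow(src_host, dst_nat_host):
    """Rewrite a packet from an HQ host to the DR server's translated address.
    Returns (source, destination) as they appear on the co-lo LAN after both NATs."""
    src_on_wire = translate(src_host, HQ_LAN, HQ_NAT)          # HQ outbound 1:1 NAT
    dst_at_colo = translate(dst_nat_host, COLO_NAT, COLO_LAN)  # co-lo inbound 1:1 NAT
    return str(src_on_wire), str(dst_at_colo)
```

The DR server keeps its real 192.168.1.x address, but head office reaches it via the 10.200.2.x alias, which is the trade-off against a true layer-2 extension: the two hosts are not ARP neighbours.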

Expert Comment

by:TheAnimaniac
ID: 24393928
Your wish includes ARP broadcasts for the same IP to work after a failover. I think you're better off with a well-configured DNS. For the DNS issue you could think of very low TTL values.

Author Comment

by:aimvicit
ID: 24408252
Hi, are you suggesting using a different subnet with the same DNS names? If so, that is a possible scenario but not one Vizioncore recommend.

Thanks.

Expert Comment

by:ob1_
ID: 24408288
If I understand correctly the MPLS is probably handled at both ends by a managed router from your ISP - is that the case? If so is the 550e in front of the managed router at the co-lo or is it the other way around?

Author Comment

by:aimvicit
ID: 24408384
Yes correct, the 550e will be in front of the managed router at the co-lo.

Expert Comment

by:ob1_
ID: 24408483
Ok. If your Exchange server goes down and the backup server has to come online, will it be sending mail over the MPLS through the main office's internet connection or does it access the internet from the co-lo?

Author Comment

by:aimvicit
ID: 24408484
We would expect it to get email through the main office connection. We would only ever enable the internet access at the co-lo if we lost the main site (e.g. fire).

Thanks.

Expert Comment

by:ob1_
ID: 24408534
Ok. You don't need the 550e to expand your subnet to the co-lo. You can just configure the server with the correct IP address. If you can't - then you need to escalate a ticket with your ISP to reconfigure your managed router at your co-lo.

I have a similar setup with a WG 550e at the corporate office and MPLS running to a satellite office. The server at the satellite office connects to the managed router and is set up on the 192.168.10 subnet whereas the corp office is the 192.168.1 subnet. So it's a little bit different - but I can't imagine that I could not just rename the server IP to 192.168.1.xxx and it would not work just the same.

If it doesn't, like I said, then there is a setting in the managed router that connects the two subnets and this would need to be changed by the ISP - I am not 100% on this part though b/c I didn't implement it.

I would get that working first then add the 550e back into the mix for your failover internet solution. I am pretty sure your internet and MPLS bandwidth are going to come into the co-lo on separate circuits, one of which would be connected to the 550e and one of which will connect to your managed router - then both of those would run into your switch, and then your server.

I don't think in any of this you need to configure the 550e to expand the subnet from the head office.

Let me know how it goes, hope this helps.


 - Bob

Expert Comment

by:ob1_
ID: 24408542
But if your MPLS and internet at main office are the same provider chances of MPLS being up when internet is down are slim - so you might not need 550e at all.

Expert Comment

by:TheAnimaniac
ID: 24410031
I'm indeed suggesting a different subnet (which it already has) and you let the server register itself with DNS, overwriting the current offline server's IP address with its own. I presume the server at the co-lo is turned off...